Bug 238239

Summary: REGRESSION (r287807): WEBGL_multi_draw validation rejecting valid arguments
Product: WebKit Reporter: Kenneth Russell <kbr>
Component: WebGLAssignee: Kimmo Kinnunen <kkinnunen>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, changseok, darin, dino, esprehn+autocc, ews-watchlist, gyuyoung.kim, kbr, kkinnunen, kondapallykalyan, kpiddington, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=220753
https://bugs.webkit.org/show_bug.cgi?id=238303
Bug Depends on:    
Bug Blocks: 222812, 238240    
Attachments:
Description Flags
Patch
none
alternative impl
none
alternative impl
none
Patch none

Description Kenneth Russell 2022-03-22 16:29:30 PDT 
A change was made to the validation code for WEBGL_multi_draw in Bug 234966 which was incorrect. Unfortunately, it causes about half of the tests in conformance/extensions/webgl-multi-draw.html to fail, and breaks customer applications, as reported on https://groups.google.com/g/webgl-dev-list .
Comment 1 Kenneth Russell 2022-03-22 16:51:55 PDT 
Created attachment 455455 [details]
Patch
Comment 2 Kenneth Russell 2022-03-22 16:56:24 PDT 
Kimmo / Brent / Darin: please review. Thanks.

Confirmed by running:
https://www.khronos.org/registry/webgl/sdk/tests/conformance/extensions/webgl-multi-draw.html

locally that this fixes the test.
Comment 3 Darin Adler 2022-03-23 05:36:33 PDT 
Comment on attachment 455455 [details]
Patch

This seems too complicated to me. Couldn’t this also be solved by removing the incorrect type cast of size - drawCount to GCGLuint?
Comment 4 Darin Adler 2022-03-23 05:38:02 PDT 
Comment on attachment 455455 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455455&action=review

> Source/WebCore/html/canvas/WebGLMultiDraw.cpp:-137
> -    if (offset >= static_cast<GCGLuint>(size - drawcount)) {

The bug seems to be that this can chop a large integer to a smaller one. Can we just change this to not do that rather than adding more code?
Comment 5 Darin Adler 2022-03-23 05:40:08 PDT 
Comment on attachment 455455 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455455&action=review

>> Source/WebCore/html/canvas/WebGLMultiDraw.cpp:-137
>> -    if (offset >= static_cast<GCGLuint>(size - drawcount)) {
> 
> The bug seems to be that this can chop a large integer to a smaller one. Can we just change this to not do that rather than adding more code?

Or is the real problem that this is used >=  rather than >?

I’d like to understand what the actual problem was before weighing in on the solution.
Comment 6 Darin Adler 2022-03-23 05:41:29 PDT 
Your post about this says there are “gaps in WebGL testing in WebKit” but this patch does not include any new WebGL tests.
Comment 7 Darin Adler 2022-03-23 05:43:22 PDT 
Webkit policy requires adding a new test case when fixing a bug so we do need to add a test case here.
Comment 8 Darin Adler 2022-03-23 05:44:19 PDT 
We can turn https://www.khronos.org/registry/webgl/sdk/tests/conformance/extensions/webgl-multi-draw.html into a test case perhaps?
Comment 9 Darin Adler 2022-03-23 05:45:04 PDT 
Is there something that prevents us from using these Kronos test cases as part of the Webkit test suite?
Comment 10 Radar WebKit Bug Importer 2022-03-23 05:47:41 PDT 
<rdar://problem/90694727>
Comment 11 Radar WebKit Bug Importer 2022-03-23 05:48:51 PDT 
<rdar://problem/90694765>
Comment 12 Darin Adler 2022-03-23 05:49:35 PDT 
I see now, by to 20753 is the reason we had this untested. Is there something we can do to resolve that so that we can at least run some of that test?
Comment 13 Darin Adler 2022-03-23 06:04:59 PDT 
Besides the disabled test leaving us vulnerable, my suggestion for a cleaner way to write the range check in the first place is probably what led to the mistake. I understand if others would like to take Ken‘s patch as is. I would, however, like to understand what was wrong with the original and I think that could lead to a more elegant fix. However I will not insist on this; urgent, I think, to have this fixed one way or another.
Comment 14 Kimmo Kinnunen 2022-03-23 07:14:43 PDT 
Created attachment 455495 [details]
alternative impl
Comment 15 Kimmo Kinnunen 2022-03-23 07:16:48 PDT 
Created attachment 455496 [details]
alternative impl
Comment 16 Kimmo Kinnunen 2022-03-23 07:19:42 PDT 
*** Bug 237418 has been marked as a duplicate of this bug. ***
Comment 17 Darin Adler 2022-03-23 07:46:35 PDT 
Comment on attachment 455496 [details]
alternative impl

Yes, I like this better. i’m gonna say r=me on this one, assuming we make sure tests really are all passing
Comment 18 Kenneth Russell 2022-03-23 11:35:56 PDT 
Created attachment 455532 [details]
Patch
Comment 19 Kenneth Russell 2022-03-23 11:38:25 PDT 
Darin and Kimmo, thanks for your review and for pointing out the alternative implementation (and my unclear description of what was wrong). Anyway, here is Kimmo's patch with his authorship attributed in the ChangeLog, and the tests marked Slow in TestExpectations as they take a while to run. If the EWS is green I'll CQ this later today.
Comment 20 Kenneth Russell 2022-03-23 18:34:00 PDT 
The http/wpt/webrtc/getUserMedia-processSwapping.html failure on mac-AS-debug-wk2 is unrelated; filed Bug 238303 about it. Notably, webgl-multi-draw.html passed in that run in both the WebGL 1.0.x and 2.0.y conformance tests:
https://ews-build.webkit.org/#/builders/60/builds/27223
Comment 21 Kenneth Russell 2022-03-23 18:35:11 PDT 
Kimmo, could you take over this patch from me and try to land it during your workday? In particular, to see if the other EWS bots pass.
Comment 22 EWS 2022-03-24 05:45:35 PDT 
Committed r291791 (248819@main): <https://commits.webkit.org/248819@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455532 [details].
Comment 23 Brent Fulgham 2022-05-26 15:03:24 PDT 
This fix shipped with Safari 15.5 (all platforms).